1.1. Audit Objectives

This audit was carried out based on the following control objectives: 

• Existence and adequacy of appropriate hospital ICT governance structures and processes; 

• Compliance of security practices with HSE ICT policies; 

• Existence and adequacy of controls to protect sensitive patient data at network level; 

• Existence and adequacy of controls to protect sensitive patient data at local hospital application level; 

• Existence and adequacy of controls in place to ensure the effective operational performance of ICT; 

• Adequacy of the methodology employed and integrity of patient records arising from the combination of 
the PAS records of the CUH, South Infirmary and Mercy Hospitals. 

1.2. Key Findings 



Analysis of Key Findings

Ranking    National    Regional    Local    Total
High           2           2          5        9
Medium         4           1         20       25
Low            1                      7        8
Total          7           3         32       42



Key Findings - Ranking Priority - High

National

Regional

3. Information Security Governance: An ICT Governance Framework to ensure that access to the hospital's sensitive data is controlled and restricted to only authorised staff is not in place. The auditors noted that an ICT Governance Group was established in the South Region; however, a number of gaps were noted and are detailed later in this report.

9. ICT Budgeting: At present no formal budget is prepared by ICT or by the hospital on the basis of existing commitments and known expenditure, and at the date of the audit (March 2012) no ICT budget had been established for 2012. In addition, it is apparent that a number of specific ICT expenditure items are not accounted for under the ICT budget for 2011; rather, they are reported under other cost headings. It is not clear whether they are reported under the 'ICT Expenditure - Start of Year Submission' (to the ICT Control Section, CMOD, Department of Finance) by National ICT.



Key Findings - Ranking Priority - Medium

National

10. ICT Key Performance Indicators: The auditors noted that there are no Service Level Agreements (SLAs) agreed between the business and the ICT department. ICT performance is not measured against specific / defined targets.

11. Reporting Structures, Roles and Responsibilities: A lack of clarity between the roles and responsibilities of the local ICT department in CUH and the HSE South Region ICT department was apparent in the course of the audit. Although meetings are held between the local ICT department within CUH and the HSE South Region ICT department, it appears that a formal reporting structure is not in place. It was also understood that the CUH ICT department had little or no input into the National HSE ICT Strategy.

12. [finding title illegible in the source]: Limited resilience is in place to protect CUH critical servers and data in the event of damage to the CUH data centre due to the lack of resilience in

13. Notepad found in the CUH car park: While this is an out of scope finding, the auditors are obliged to note and notify that a folder containing sensitive employee information was found by the auditors on the machine for paying the parking tickets.
Regional




Local 

15. ICT Steering Committee: Whilst an ICT Steering Committee is in place, the group would only appear to 
be project focused. The Steering Committee does not provide oversight or review of: ICT standard 
performance metrics or targets; ICT operational budgets, reporting against budget; data management 
and Data Protection; security management, or policy compliance. 

16. Reporting on Policy Compliance or Exceptions: A process to formally report on the implementation 
of, or compliance with, National ICT Security Policies is not in place. Where non-compliance with the 
policies existed, these gaps had not been formally reported to the National ICT Directorate as required in 
the policies. As a consequence, hospital management cannot provide an adequate level of assurance 
that the National ICT Security Policies are implemented, as requested by the HSE's CEO in his 
communication to all National Directors regarding Data Protection on the 10 th August 201 1 . 

17. Business Staff Awareness: A number of business users were interviewed by the auditors to assess 
their knowledge of the Encryption, Remote Access, Access Control, and Passwords Standards National 
ICT Policies. Staff were either not aware of any of the policies (50%), aware of the existence of the 
policies but not of their content (31%), while 19% were aware of and acknowledge having read, at most, 
one of the policies. All users informed the auditors that they have received no training in relation to any 
of the policies and have not been asked to accept them. While the policies may be rolled out at a 
National level, there is little evidence to suggest they are being implemented at a local hospital level and 
user awareness of the contents and controls outlined in the policies is poor. 

18. ICT Staff Awareness: ICT staff have a mixed level of awareness of the National ICT Policies. The audit 
found that although CUH ICT management and staff are aware that National ICT Policies exist they are 
not aware of their content, the audit revealed that there is no direct communication of these policies to 
CUH ICT staff. Staff have had no training on the use and/or application of these policies. CUH ICT does 
not monitor the level of compliance with the policies and there is no requirement to report compliance 
levels to HSE ICT. 

19. Active Directory Joiners Process Gaps: There is no formal / documented User Access Management procedure that documents the process for creating Active Directory accounts and issuing network rights in line with HSE policy and business requirements. The National HSE Systems Access Request Form is not used; a local application form is in place within CUH that requires Line Managers' authorisation. However, the auditor tested a sample of new members of staff selected from a report provided by HR and determined that 13.3% of the forms were not authorised (i.e. not signed by Line Managers).




20. Leavers Process Gaps: A formally documented procedure for revoking the access of leavers and movers is not in place. A process is in place to disable all accounts that have been inactive for a period of [redacted] days or more; however, this process is not in line with the Access Control Policy, which indicates 9 days.

21. Movers Process Absence: A process is not in place in CUH to ensure that network access such as shared folders and specialist applications granted to a member of CUH staff is revoked when they change role within the hospital.




24. Active Users Reviews: The threshold for identifying inactive accounts is not in line with the HSE Access Control Policy threshold of [redacted] days. [redacted] network accounts were identified as being inactive for over [redacted] days. While a process is in place for removing inactive accounts, through substantive testing the auditors were able to determine that [redacted] accounts have been inactive for over [redacted] days and have not been moved to the Disabled OU (Organisational Unit) as required under CUH procedure.

25. Users' Access Rights Reviews: A formal process for the review of the level of access granted to users 
on the network is not in place within CUH. The auditor was unable to identify information owners for each 
department who are responsible for reviewing access rights within their department. This does not meet 
the requirements of the HSE Access Control Policy that states that the Information Owners or their 
nominees must continually monitor access to their information systems and that they must perform 
quarterly reviews of the systems they are responsible for. 
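As an added illustration of the control tested in findings 20 and 24 (this script is not part of the audit report and not HSE code), the PowerShell below lists domain accounts that exceed the policy inactivity threshold while still enabled, and disabled accounts that were never moved to the Disabled OU. The threshold value and the OU distinguished name are placeholders, because the report redacts the real ones; the ActiveDirectory module and read access to the domain are assumed.

```powershell
# Added example (not from the audit report): inactive-account review for an AD domain.
# Assumptions: ActiveDirectory module present, read access to the domain; the policy
# threshold and the Disabled OU distinguished name are placeholders (the report redacts them).
Import-Module ActiveDirectory

function Get-InactiveAccountExceptions {
    param(
        [int]$PolicyThresholdDays = 90,                              # placeholder threshold
        [string]$DisabledOu = 'OU=Disabled,DC=hospital,DC=example'   # placeholder DN
    )
    $cutoff = (Get-Date).AddDays(-$PolicyThresholdDays)

    # LastLogonDate derives from lastLogonTimestamp, which replicates with a lag of up to
    # 14 days, so an account can look slightly staler than it is, never fresher.
    $users = Get-ADUser -Filter * -Properties LastLogonDate, whenCreated

    foreach ($u in $users) {
        # An account that has never logged on has no LastLogonDate; measure it from creation.
        $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
        if ($lastSeen -gt $cutoff) { continue }   # active within the policy window

        $inDisabledOu = $u.DistinguishedName -like "*,$DisabledOu"
        $issue = if ($u.Enabled) {
            'Inactive beyond policy threshold but still enabled'
        } elseif (-not $inDisabledOu) {
            'Disabled but not moved to the Disabled OU'
        } else {
            $null                                    # disabled and parked correctly: compliant
        }
        if (-not $issue) { continue }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastSeen       = $lastSeen
            NeverLoggedOn  = -not $u.LastLogonDate
            DaysInactive   = [int]((Get-Date) - $lastSeen).TotalDays
            Issue          = $issue
        }
    }
}

# One row per exception; descending sort on Issue puts the still-enabled accounts first.
Get-InactiveAccountExceptions -PolicyThresholdDays 90 |
    Sort-Object Issue, DaysInactive -Descending |
    Export-Csv -Path .\inactive-account-exceptions.csv -NoTypeInformation
```

Disabled accounts already sitting in the Disabled OU are omitted as compliant, so the CSV is the substantive test of finding 24 in repeatable form.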
27. IPMS Administrative Access:
32. Presence of Possible Duplicates: Data analysis was performed on the merged PAS databases of the CUH, South Infirmary and Mercy Hospitals. The data analysis performed on over 1.241 million records indicates the presence of 239,594 possible duplicate records (19.30% of the total) that need to be analysed by the Medical Records staff to assess whether these records could be merged or not. The auditors acknowledge that a similar process was carried out by local management; a proposal was drafted and at the time of audit this was being reviewed.

33. Data Collection Process: The data analysis performed on the 22,302 records entered in IPMS after the data migration process was completed shows the presence of records that appear to be duplicates or that do not contain all key fields filled in; the auditors used the 1st of August 2011 as a cut-off day. It appears that 5,530 records (33%) entered after the date of data migration contain errors.

34. ICT Helpdesk Performance: The performance of the CUH ICT Helpdesk is not measured. CUH ICT 
management informed the auditor that 3 Service Level Agreements exist between ICT and the Bantry 
General Hospital, the Mallow General Hospital, and the Blood Transfusion Service; however, ICT is not 
formally committed to respond to issues with defined times and service standards. Service desk 
performance statistics/reports are neither produced nor communicated to Senior Management. 

Key Findings - Ranking Priority - Low 

Findings rated as low priority are detailed in section 2.7 of this report.

1.3. Management Comment

There are significant issues raised within this audit which require a lot of input from outside of Cork University 
Hospital, and the focus from within CUH is on delivering on what can be achieved within the resources 
available and the constraints that exist with regards to scope of responsibility. We will liaise with HSE ICT in 
relation to certain findings where the onus of responsibility for those findings lies with them. 

The ICT Department within Cork University Hospital is very small (7.5WTE) in comparison with other major 
academic teaching hospitals. We do have additional project resources (2 WTE) made available by HSE ICT 
and we depend heavily on HSE ICT Infrastructure & Operations (HSE South) for the delivery of practically all 
infrastructure and infrastructure support. This service within the HSE South is also very small in numbers and 
they also have to provide input into a lot of national I&O projects on top of their work in the HSE South.

Cork University Hospital values and recognises the role that ICT can play in a large modern healthcare organisation, however, we are constrained in terms of how we can resource this service. There are a large number of projects involving ICT which are currently active and there is a real issue around balancing resources and priorities to deliver on these projects whilst at the same time dealing with the findings of the internal audit. The actions against the findings have, by necessity, realistic delivery time frames. This will require us to recognise and carry the identified risk against the findings until we can achieve a resolution.

HSE Internal Audit Directorate
Page 9 of 63
Report: Cork University Hospital IT General Controls (ITGC) Confidential

There are a number of common themes and inter-relationships across and between the findings and there is 
therefore some commonality in terms of the management response and the corrective actions. There are two 
key actions arising out of this whole exercise which will help in the overall ICT governance / controls arena - 
1) the production of a hospital ICT Management Plan and 2) the production of an ICT Handbook for line 
managers. 

The EMB receives an ICT briefing from the ICT Manager every three months as part of the existing hospital 
governance framework, and the actions arising out of this audit will be reviewed by the EMB at these regular 
reviews. 



1.4. Audit Opinion 

The auditors noted the existence of management controls and initiatives including the migration of data to a 
managed storage area network. However, the overall assessment of the IT General Control environment in 
place in Cork University Hospital can be considered to be inadequate due to the significant number of high 
and medium findings identified at national, regional and local hospital level during the audit. There are a 
significant number of gaps in relation to the management and protection of sensitive data, which is stored in 
the ICT resources managed within the Hospital (e.g. applications and network). 

This opinion reflects the fact that although the audit took place at local hospital level, some of the ICT 
services within the scope of review are not provided directly by Cork University Hospital ICT, but are the 
responsibility of HSE South ICT. 

The audit opinion also considers the fact that at the date of the audit, the suite of National ICT Policies has 
been in existence across the HSE for two years; however, the implementation of the suite of policies within the 
hospital has not been fully realised. The controls specified in the suite of National ICT Policies represent best 
practice and a stronger level of control than that which was in place in Cork University Hospital at the time of 
the audit. 



1.5. Acknowledgement 
Section 2 - Main Report



Cork University Hospital IT General Controls (ITGC) 



Ref: ICTA014ISDA0712 



2.1. Introduction 

This audit was carried out as part of the agreed audit plan for the HSE for 2012. Mazars was contracted by 
the HSE's Internal Audit Directorate to undertake an internal audit of the IT General Controls in place in Cork 
University Hospital (CUH). 

2.2. Background 

CUH is one of the largest University teaching hospitals in Ireland. Within the services offered by the hospital 
there are Cancer Services, Cardiac Services (Heart), General Surgery / Vascular Surgery / Urology, 
Paediatrics (Children's Services), Psychiatry and Radiology (X-Ray). It is also known as the Cork Regional 
Hospital and primarily treats patients from Cork and Kerry which have a combined population of more than 
600,000 people. 

CUH ICT manages and supports the Hospital's main ICT resources including the critical combined patient 
administration system (PAS) IPMS application which, after a significant data migration project to merge 3 
separate databases, is used and accessed by Cork city's Voluntary (non-HSE) hospitals, Mercy University 
Hospital (MUH) and the South Infirmary Victoria University Hospital (SIVUH). 

HSE South ICT manages and provides the following ICT services to the Hospital: 

• Active Directory infrastructure; 

• Network management. 

2.3. Audit Objectives 

This audit was carried out based on the following control objectives: 

• Existence and adequacy of appropriate hospital ICT governance structures and processes; 
• Compliance of security practices with HSE ICT policies; 

• Existence and adequacy of controls to protect sensitive patient data at network level; 

• Existence and adequacy of controls to protect sensitive patient data at local hospital application level; 

• Existence and adequacy of controls in place to ensure the effective operational performance of ICT; 

• Examine combined Patient Administration System (PAS) of CUH, South Infirmary and Mercy Hospitals - 
methodology and record integrity. 

2.4. Audit Scope 

The purpose of this audit was to determine the existence and adequacy of controls in place which support 
the management of ICT and which protect data within the Cork University Hospital only. 

The scope of the audit focussed on a detailed assessment of the controls in place in the following areas: 

• ICT governance; 

• HSE ICT policies; 

• Patient data security at network level; 

• Patient data security at application level; 

• Operational performance of ICT; 

• Patient record integrity and approach to the migration of data from legacy to current PAS systems in 
CUH. 

2.5. Audit Methodology 

The audit work was performed in accordance with the auditors' understanding of the proper interpretation of 
the law and in accordance with best practice as represented by: 

• Institute of Internal Audit (IIA); 

• Information Systems Audit and Control Association (ISACA) - CobiT standards. 

Target Maturity Level 

The long term goal of the HSE is to move to a control maturity level of 4: "Managed and Measurable". The 
audit approach was aligned with this objective and was conducted against a target maturity level of 2 
("repeatable but intuitive") as specified by CobiT. Level 2 definition states that "processes have developed to 
the stage where similar procedures are followed by different people undertaking the same task. There is no 
formal training or communication of standard procedures, and responsibility is left to the individual. There is a 
high degree of reliance on the knowledge of individuals and, therefore, errors are likely". 

Local, Regional or National Deployment Model 

This was conducted at a local level in Cork University Hospital (CUH) only. 
ICT Audit Intervention Model 

A level 5 intervention model was adopted. Detailed testing of certain areas was performed where the cause 
and effect is direct, and where the impact and the likelihood of a risk occurring was considered to be high. 



2.6. Ranking of Findings

1. The main findings, control weaknesses noted or suggested areas for improvement are ranked as high, medium or low and are dealt with in order of priority in the following paragraphs.

2. The rankings used are described below:

High: Identifies a control area which poses a key risk to the HSE and/or its service users and clients (e.g. strategic, operational, financial (including VFM) or reputational) and where serious control weaknesses are preventing the effective management of that risk and should be addressed immediately.

Medium: Identifies a weakness in control which, while its implications are not as serious as the above, or the control itself not as fundamental to the operation of the system, nevertheless represents a risk to the HSE and needs to be addressed in order to reduce that risk to an acceptable level. These should be dealt with in the short term.

Low: Identifies a procedure or control that needs improvement in order to operate in a more effective way and should be addressed in the short to medium term.

Some risks identified will have implications for the HSE nationally and therefore require consideration on a broader basis. Any risks identified that may have national implications will be denoted with an (N) e.g. High (N), Medium (N) and Low (N).
2.7. Key Findings, Risks and Recommendations 

Listed hereunder are the findings, risks and recommendations associated with this report together with a time schedule for the implementation of the 
recommendations. 



Key Findings

1. Integrated Patient Management System (IPMS) Password Controls

Password controls in place on the IPMS system are not in line with the ICT Passwords Standards Policy. The following gaps are apparent:

[list of gaps redacted in the source]

Ranking: High (N)

Possible Implications

In the absence of strong password controls to the IPMS, there is an increased risk of unauthorised access to the system.

Recommendations

[recommendations redacted in the source]

Where these requirements cannot be enforced (e.g. due to technical limitations of the application) then a non-compliance exception should be raised to the HSE's National Director of ICT.

Responsible Officer: Information Services Manager CUH / IT Technical Support Manager
Implementation date: Nov 2012

Management Response

This cannot be viewed in isolation as users within CUH access a number of systems as part of their daily working routine. The complete rectification of this requires the implementation of the Self-Service component of the [redacted] Password Manager. This has been discussed between CUH ICT and HSE South I&O and a plan will be drawn up for the implementation. This will need to go through local change control procedure and will require extensive testing prior to implementation in Production environment. This will facilitate the enforcement of required password controls.

2. Presence of Unauthorised Data Disk Shares in CUH & South Region

Unauthorised shares were found on HSE South [redacted]

Possible Implications

Where access is not restricted, there is a risk of unauthorised and inappropriate access to sensitive and personal information through file shares on the network. This risk is increased when everyone is granted access to the shares.

Recommendations

The Organisation should restrict access to network locations, shares, folders and files containing sensitive data to authorised users only. This access should be granted in line with business roles and responsibilities, and reviewed periodically.

Management Response

This has been on the HSE South I&O agenda for some time and we have been working with them on the rationalisation of 'shares' within CUH. We will complete the re-organisation of server based shares in CUH by the end of July 2012. The issue with [redacted] shares is in identification of same - we will continue to work on this and remove when identified, and AD group policy will be applied to prevent creation of new shares.

[second part of the finding redacted in the source]

Possible Implications

Where access is not restricted, there is a risk of unauthorised and inappropriate access to sensitive and personal information through file shares on the network. This risk is increased when "everyone" is granted access to the shares (often this is the standard setting for Windows shares). Moreover, shares not saved on a central server may not be backed up on a regular basis, and where data is inadvertently deleted there is a risk of the data not being restored.

Recommendations

Staff should be instructed to use only shared folders created on a centralised server built for this purpose. Existing shares should be moved onto the centrally managed servers used for file sharing (as they are subject to regular backups and adequate physical access controls), while users should be prevented (e.g. technically) from being able to create shares.

Ranking: High (N)

Responsible Officer: Information Services Manager CUH
Implementation date: July 2012

Management Response

Shares elsewhere in the HSE South will have to be dealt with by the individual units and their relevant ICT support personnel. All new shares within CUH will be controlled through CUH ICT.


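As an added illustration of the exposure described in finding 2 (and the related finding 8), not taken from the report or from HSE, the PowerShell below enumerates the SMB shares on a list of Windows hosts and flags those whose share-level permissions grant Everyone or a similarly broad group access, which is the default share permission the auditors refer to. Host names are placeholders; the SmbShare module (Windows Server 2012 / Windows 8 or later) and administrative rights on the hosts are assumed.

```powershell
# Added example (not from the audit report): find SMB shares whose share-level ACL grants
# access to broad principals. Assumes the SmbShare module and admin rights on the hosts;
# the host names passed at the bottom are placeholders.
function Get-BroadlySharedFolders {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Principals that should never hold an Allow entry on a share holding sensitive data.
        [string[]]$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                       'BUILTIN\Users', '*\Domain Users')
    )
    foreach ($computer in $ComputerName) {
        try {
            $cim = New-CimSession -ComputerName $computer -ErrorAction Stop
        } catch {
            Write-Warning "Cannot reach $computer : $($_.Exception.Message)"
            continue
        }
        # Special = True marks the administrative shares (C$, ADMIN$, IPC$); the finding
        # concerns user-created shares, so only non-special shares are examined.
        $shares = Get-SmbShare -CimSession $cim | Where-Object { -not $_.Special }
        foreach ($share in $shares) {
            $allowed = Get-SmbShareAccess -CimSession $cim -Name $share.Name |
                Where-Object { $_.AccessControlType -eq 'Allow' }
            $broad = $allowed | Where-Object {
                $name = $_.AccountName
                $BroadPrincipals | Where-Object { $name -like $_ }
            }
            if (-not $broad) { continue }
            [pscustomobject]@{
                Host        = $computer
                Share       = $share.Name
                Path        = $share.Path
                BroadAccess = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            }
        }
        Remove-CimSession $cim
    }
}

# Placeholder host names: a file server and a clinic workstation.
Get-BroadlySharedFolders -ComputerName 'FILESRV01', 'WS-CLINIC-07' |
    Format-Table -AutoSize
```

Only the share-level ACL is checked here; NTFS permissions on the path are the second gate, so a flagged share is exposed only if they are broad too. Feeding the function the workstation names from Get-ADComputer locates the locally created shares that the recommendation wants moved to centrally managed servers.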
3. Information Security Governance

An ICT Governance Framework to ensure that access to the hospital's sensitive data is controlled and restricted to only authorised staff is not in place. The auditors noted that an ICT Governance Group was established in the South Region; however, it appears that:

• Responsibility for enforcing IT security is not formally assigned;

• Data owners or business owners are not identified for the internal systems / applications;

• Data access is not formally reviewed;

• A data classification schema (or similar document) that informs Information Owners on the categories of data (e.g. sensitive personal, HSE confidential, etc.) and ICT custodians about the level of protection required to protect data was not in place;

• A proactive security management program at an organisational level was not evident during the course of the audit, i.e. monitoring, testing and reporting of compliance against standards and policies;

• Management at hospital level with responsibility for implementing policies are not required to report on ICT security policy compliance.

Possible Implications

Information security may not be enforced within the hospital. This may result in:

• Breach of the Data Protection Act(s) where personal data disclosures take place;

• Patients' erroneous medical treatments where patient data integrity is compromised.

Recommendations

An ICT Governance Framework should be put in place to ensure that access to the hospital's sensitive data is controlled and restricted to only authorised staff. At a minimum the following should be defined within the framework:

• Assign responsibility for enforcing ICT security;

• Identify data owners and business owners for all key internal systems / applications;

• Perform formal reviews on a regular basis of the level of access granted to sensitive data;

• A data classification schema (or similar document) is introduced for the categorisation of data (e.g. sensitive, personal, HSE confidential, medical, etc.) and the level of protection required to protect the data is defined;

• A proactive security management program at an organisational level is defined (i.e. for the monitoring, testing and reporting of compliance against standards and policies);

• Management at hospital level are assigned responsibility for implementing policies and for reporting on ICT security policy compliance.

Responsible Officer: CUH Executive Management Board
Implementation date: Dec 2012

Management Response

CUH will define an Information Governance Policy as part of an overall ICT Governance Framework in accordance with recently published HIQA guidelines. We will need to liaise with other entities in doing this and ultimately will need a shared Information Governance Policy with those entities.

4. Access Controls on the [redacted] Childcare System

Responsible Officer: [...] South [redacted] System Manager
Implementation date: June 2012

5. Passwords Disclosure

Management Response

This will be achieved in conjunction with the implementation of the resolution of key finding

Ranking: High

6. Network Passwords Requirements

Responsible Officer: Information Services Manager CUH
Implementation date: Nov 2012

Management Response

[redacted]

The issues identified around passwords will be dealt with as part of key finding 1.

[redacted]

Ranking: High

Responsible Officer: Information Services Manager CUH / IT Technical Support Manager
Implementation date: Nov 2012
7. IPMS User Access Management

Ranking: High

Responsible Officer: Information Services Manager CUH / IT Technical Support Manager
Implementation date: Dec 2012
8. Sensitive Data Accessible on Shares

[finding text redacted in the source]

Management Response

Response to key finding 4 applies.

Responsible Officer: Information Services Manager CUH
Implementation date: Dec 2012
9. ICT Budgeting

At present no formal budget is prepared by ICT or by the hospital on the basis of existing commitments and known expenditure, and at the date of the audit (March 2012) no ICT budget had been established for 2012, inter alia:

• Contracts and thus commitments in place;

• Ongoing maintenance;

• Hardware and/or software upgrades;

• Projects already committed to.

Thereby establishing what, if any, discretionary spend is feasible and the manner in which ICT expenditure can be financed.

We appreciate that project budgets are prepared and, in addition, a periodic cost containment meeting is chaired by the CEO of CUH to examine costs and the manner in which costs can be reduced and/or allocated.

The 2011 nominal ICT target budget was €658k and actual expenditure was in fact €1.217m.

In addition, it is apparent that a number of specific ICT expenditure items are not accounted for under the ICT budget and it is not clear if they are reported under the 'ICT Expenditure - Start of Year Submission' (to the ICT Control Section, CMOD, Department of Finance) by National ICT, e.g.

• Approximately €200k paid directly and via St. James's hospital relating to a Claimsure system in 2011 (procurement approach unclear);

• Payments made to AGFA (€300k approx. in 2011) relating to the use of the SAN, which was originally procured to support a radiology project but had been extended and is currently predominantly used as a key IT infrastructure component for the majority of CUH data.

Ranking: High

Possible Implications

The full and accurate cost of ICT may not be accurately captured and, in addition, accurately reported to CMOD.

Recommendations

An ICT Budget should be prepared on the basis of existing commitments and known expenditure and it should include at a minimum the following, inter alia:

• Contracts and thus commitments in place;

• Ongoing maintenance;

• Hardware and/or software upgrades;

• Projects already committed to.

In particular, management should ensure that all ICT expenditure items are accounted for under the ICT Budget and reported under the 'ICT Expenditure - Start of Year Submission' (to the ICT Control Section, CMOD, Department of Finance) by National ICT.

Responsible Officer: Information Services Manager CUH
Implementation date: Dec 2012

Management Response

CUH ICT will engage with CUH Finance to ensure that the budget reflects the requirements, in so far as is practical.

This is already in place and covered by annual submission to CMOD in Dept of Finance.

10. ICT Key Performance Indicators

Key Findings:
The auditor noted that there are no Service Level Agreements (SLAs) agreed between the business and the ICT department. ICT performance is not measured against specific / defined targets.

Possible Implications:
It may not be possible to identify whether the service provided by the ICT department is adequate to support the business and its business needs.

Recommendations:
Management should define formal SLAs for the services provided by the ICT department to the business.

Management Response:
In order to provide a SLA to the business community we would need to either have control over all of the components of the service or have a SLA with the units providing all of the components of the service. Neither of these case scenarios exists, and the first one will never exist. The provision of managed and measured SLAs for all components of all ICT services provided to the business community is not a task for which a timeline can be set at the moment. When SLAs are provided for HSE services external to CUH then this issue can be re-visited.

The identified risks and implications will be notified to the CUH Executive Management Board and will be noted as risks.

No further action proposed.

Ranking: Medium (N)
Responsible Officer: Information Services Manager CUH
Implementation date: N/A


11. Reporting Structures, Roles and Responsibilities

Key Findings:
A lack of clarity between the roles and responsibilities of the local ICT department in CUH and the HSE South Region ICT department was apparent in the course of the audit.

Although meetings are held between the local ICT department within CUH and the HSE South Region ICT department, it appears that a formal reporting structure is not in place.

It was also understood that, although an operational draft ICT Strategy is being circulated between the HSE ICT South and the CUH ICT Department, the CUH ICT Department had little or no input into the HSE's National ICT Strategy.

Possible Implications:
The HSE's National ICT Management may not be aware of the local issues within the CUH ICT department, such as non-adherence to the National HSE ICT Policies or the impossibility of achieving the ICT National objectives that would be drafted in the ICT Strategy.

In addition, certain key ICT tasks may fall between stools due to a lack of clarity as to where responsibility lies.

Recommendations:
Formal communications and reporting channels should be implemented between the local CUH ICT Department and the HSE's National ICT Department.

These should also allow for a formal assignment of responsibilities for the provision of ICT services between the local, regional and National ICT Departments.

Management Response:
There is a good working relationship between the HSE and the CUH ICT services. We work in partnership on a range of projects and on on-going day to day issues. The implementation of formal roles and responsibilities has not been undertaken due to resource constraints as the ICT staff have concentrated on the delivery of an ICT service to the end users.

Two issues are specifically mentioned here:

1. Lack of clarity locally around roles and responsibilities. It was made clear during the course of the audit that there was no issue locally with this, but the audit view is different from the local view. In order to provide further clarity on this a Memorandum of Understanding will be drafted and agreed by all parties.

Responsible Officer: Information Services Manager CUH
Implementation date: Sept 2012

2. Formal communications channel between CUH ICT and HSE ICT. This is a matter for HSE ICT to address as it has implications for other hospital ICT departments also. CUH will work with HSE ICT on this and help to develop a communications framework between national ICT and hospital ICT departments.

Responsible Officer: Acting Head of National ICT / Information Services Manager CUH
Implementation date: March 2013

Ranking: Medium (N)


12. Resilience

Key Findings:
Limited resilience is in place to protect CUH critical servers and data in the event of damage to the CUH data centre.

Possible Implications:
There is a risk of extended ICT services unavailability (i.e. CUH servers and data) if damage affects the CUH data centre.

Recommendations:
Management should ensure that resilience is established for the key ICT resources [redacted].

Management Response:
A programme of work has commenced between CUH and the HSE South I&O to provide resilience on [redacted]. This involves the installation of hardware at both CUH and CFH and the use of a 'dark fibre' connection between the sites. The [redacted] Site Replication Manager software [illegible] set will be used to achieve the required resilience. The server hardware has already been delivered to site. The full implementation will take substantial testing and will need to be fully documented.

Ranking: Medium (N)
Responsible Officer: Acting ICT Tech Support Manager
Implementation date: Nov 2012
13. Notepad found in the CUH car park

Key Findings:
While this is an out of scope finding, the auditors are obliged to note and notify that a folder containing sensitive employee information was found by the auditors on the machine for paying the parking tickets.

Possible Implications:
Sensitive staff or patients' data may be disclosed in breach of the Data Protection Acts.

Recommendations:
Management should ensure that staff receive adequate training in relation to information security and (from a DP perspective) that they are aware of the risks associated with mismanagement of sensitive data.

Compliance testing should be carried out on a regular basis to reduce the risk of inappropriate behaviour.

Management Response:
This has been notified to the relevant individual and Department and also to the HSE South Consumer Affairs Department.

Issue communicated on 29th May 2012.

No further action proposed.

Ranking: Medium (N)
Responsible Officer: Information Services Manager CUH
Implementation date: June 2012




14. Intrusion Detection System (IDS)

[Key findings, possible implications, recommendations and management response are redacted in the source.]

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: July 2012




















15. ICT Steering Committee

Key Findings:
Whilst an ICT Steering Committee is in place, the group would only appear to be project focused and does not provide oversight or review of:

• ICT standard performance metrics or targets;
• ICT operational budgets and reporting against budget;
• Data management and Data Protection;
• Security management;
• Policy compliance.

Possible Implications:
There is a risk that the ICT Steering Committee will not focus on or be aware of other ICT risks outside of project risk.

Recommendations:
Management should consider expanding the range of topics addressed by the ICT Steering Committee to include subjects such as:

• ICT reporting processes (e.g. ICT application performance, security incidents, network issues and similar activities);
• Budgeting;
• Data Management;
• Security Management;
• Policy Compliance.

Management Response:
The existing ICT Steering Group has fulfilled the function set out initially, which was around overall project governance and acting as a project board for a number of projects.

The current ICT Steering Group will be disbanded and a new ICT Governance Group with revised membership and revised terms of reference will be established within CUH.

Ranking: Medium
Responsible Officer: CEO CUH
Implementation date: Oct 2012




16. Reporting on Policy Compliance or Exceptions

Key Findings:
A process to formally report on the implementation of, or compliance with, National ICT Security Policies is not in place.

Where non-compliance with the policies existed, these gaps had not been formally reported to the National ICT Directorate as required in the policies.

As a consequence, hospital management cannot provide an adequate level of assurance that the National ICT Security Policies are implemented, as requested by the HSE's CEO in his communication to all National Directors regarding Data Protection on the 10th August 2011.

Possible Implications:
The absence of an effective assurance process increases the risk that non-compliance with the National ICT Security Policies (which are critical to ensuring Data Protection compliance in respect of automated data) will go unreported.

As a consequence, senior management may not be fully aware of Data Protection risks until an incident occurs.

Recommendations:
Management should consider the introduction of a formal report on the implementation of, and compliance with, national ICT security policies.

Management Response:
Such a reporting mechanism will be put in place and we will work with HSE ICT nationally on the practical implementation of these policies, which are published without implementation plans and without associated technical resources being provided.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: March 2013








17. Business Staff Awareness

Key Findings:
A number of business users were interviewed by the auditors to assess their knowledge of the Encryption, Remote Access, Access Control, and Password Standards National ICT Policies:

• 50% are not aware of any of the policies;
• 31% of users are aware of the existence of the policies but not their content;
• 19% are aware of and acknowledge having read, at most, one of the policies (Password Standards or Encryption).

100% informed the auditors that they have received no training in relation to any of the policies and have not been asked to accept them.

While the policies may be rolled out at a National level, there is little evidence to suggest they are being implemented at a local hospital level, and user awareness of the contents and controls outlined in the policies is poor.

Possible Implications:
In the absence of an appropriate level of end-user awareness of the National HSE ICT Policies there is an increased risk that a data breach or data security incident may occur, resulting in reputational, financial and operational damage to CUH and the HSE.

Recommendations:
A training and awareness programme related to the ICT policies should be established for business staff to promote the implementation of the ICT policies across the Organisation.

Management should consider the following:

• Using the existing training portal www.hseland.ie or an organisation-wide poster campaign to inform and update end-users on ICT policies;
• Establishing a user-awareness roadshow for delivering seminars on information security and ICT acceptable use, and informing end-users of the requirements of the approved ICT policies.

Management Response:
As part of the revised ICT Governance framework, a programme of staff awareness will be undertaken. This is not a once-off event so there is no completion date. The date below is the date on which it will commence. The manager's ICT Handbook will be a key part of this programme.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: Jan 2013




18. ICT Staff Awareness

Key Findings:
ICT staff have a mixed level of awareness of the National ICT Policies. The audit found that although CUH ICT management and staff are aware that National ICT Policies exist, they are not aware of their content; the audit revealed that there is no direct communication of these policies to CUH ICT.

Staff have had no training on the use and/or application of these policies and have not been asked to formally sign up to their acceptance of the policies.

CUH ICT does not monitor the level of compliance with the policies and there is no requirement to report compliance levels to HSE ICT.

Possible Implications:
In the absence of CUH ICT staff having a thorough and up-to-date knowledge of the ICT policies, there is a risk that services supported by CUH ICT may not be in line with HSE requirements.

Recommendations:
A formal communication process to make CUH ICT staff aware of the National ICT Policies should be established. Management should also, on a regular basis, provide updates on policy requirements to staff and ensure that these requirements are understood and applied.

Management Response:
This will be undertaken immediately.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: July 2012
19. Active Directory Joiners Process Gaps

Key Findings:
There is no formal / documented User Access Management procedure that documents the process for creating Active Directory accounts and issuing network rights in line with HSE policy and business requirements. The National HSE Systems Access Request Form is not used to grant user access to the CUH network in line with the HSE Access Control Policy.

A local internet and email application form is in place within CUH that requires Line Managers' authorisation. However, the auditor tested a sample of new members of staff selected from a report provided by HR and determined that 13.3% of the forms were not authorised (i.e. not signed by Line Managers).

Possible Implications:
There is a risk that unauthorised and inappropriate access could be granted to the CUH network where a defined User Access Management Policy is not in place that requires formal application and authorisation by a defined member of CUH prior to access being granted.

Recommendations:
CUH should consider the development and implementation of a User Access Management procedure in line with the National HSE Policy standards that defines at minimum the following:

• Requirements for creating accounts;
• Defined list of authorisers;
• [redacted] authorisers for each shared drive;
• Defined list of who can authorise access to applications [redacted];
• Review process with HR to ensure that access is revoked when members of staff either leave or no longer require access;
• Review of shared folders with the business owner on a periodic basis to ensure that access is in line with business requirements;
• Review of [redacted] access to applications with systems owners to ensure that only members of staff that require access can run applications via [redacted].

Management Response:
This will be put in place.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: Oct 2012




20. Leavers Process Gaps

Key Findings:
A formally documented procedure for revoking the access of leavers and movers is not in place.

A process is in place to disable all accounts that have been inactive for a period of [redacted] days or more; however, this process is not in line with the Access Control Policy which indicates that: "User access accounts which have been inactive for [redacted] consecutive days or more must be suspended unless instructed otherwise by the user's line manager."

Possible Implications:
There is a risk that members of staff may continue to have access to patient data when they no longer require it. This may result in breach of Data Protection legislation.

Recommendations:
A formal process should be developed to ensure that all CUH accounts (both network and applications accounts) are disabled as soon as a member of staff leaves the Organisation. This process should include a notification process from HR.

Management Response:
We will establish such a procedure in conjunction with HR.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: Oct 2012
21. Movers Process Absence

Key Findings:
A process is not in place in CUH to ensure that network access such as [redacted] shared folders and specialist applications granted to a member of CUH staff is revoked when they change role within the hospital.

Possible Implications:
There is an increased risk that Hospital staff may have inappropriate or unauthorised access to personal and sensitive personal patient data, potentially leading to a data breach impacting the reputation of the hospital.

Recommendations:
A formal process should be developed to ensure that when a staff member moves within the Organisation, his/her previous level of access (e.g. application profiles, shares access) is removed, unless otherwise specified, before new access is granted.

Movements within the Organisation should be tracked, for example by the HR department, to allow audit and regular reviews.

Management Response:
We will establish such a procedure in conjunction with HR.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: Oct 2012




22. AD Generic Accounts

[Key findings, possible implications, recommendations and management response are redacted in the source.]

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: Dec 2012
23. AD Administrators

[Key findings, possible implications, recommendations and management response are redacted in the source.]

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: July 2012
24. Active Users Reviews

Key Findings:
The threshold for identifying inactive accounts is not in line with the HSE Access Control Policy threshold of [redacted] days. [redacted] accounts were identified as being inactive for over [redacted] days.

While a process is in place for removing inactive accounts, through substantive testing the auditors were able to determine that [redacted] accounts have been inactive for over [redacted] days and have not been moved to the Disabled OU (Organisational Unit).

Possible Implications:
There is a risk that inactive accounts are not being correctly disabled, which may result in leavers / movers / absentees retaining an active account with varying levels of access to potentially sensitive information. This risk is increased if IT has limited oversight of the leaver / mover process or receives limited notification from HR.

Recommendations:
The Organisation should reduce the threshold for identifying inactive accounts to [redacted] days to be in line with HSE policy and ensure that the process of disabling inactive accounts is run regularly.

Management Response:
The identification of leavers / movers is key to this. If we have a leaver and the account goes inactive we have no issue. However, if we have a leaver and the account remains active, then this process will not identify that.

We will strive to improve this process; however, this requires an input of resources and we have already identified the very limited resource pool within which we are operating.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: March 2013
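The inactivity sweep of this finding together with the HR cross-check that the management response points out, as an added example on constructed data (not the audit's or CUH's tooling): it lists enabled accounts past a day threshold, disabled accounts left outside the Disabled OU, and leavers whose accounts stay in use and so never trip an inactivity check. Both day thresholds are placeholders because the report redacts them; the OU names and account data are constructed.

```python
"""Inactive-account review against a policy threshold, plus the HR cross-check
from the management response to finding 24. Added illustration on constructed
data, not the audit's or CUH's tooling; the HSE and local day thresholds are
redacted in the report, so the two figures below are placeholders."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POLICY_THRESHOLD_DAYS = 30   # placeholder: the HSE Access Control Policy figure is redacted
LOCAL_THRESHOLD_DAYS = 90    # placeholder: the looser local threshold the finding describes
STAFF_OU = "OU=Staff,DC=cuh,DC=invalid"        # constructed OU names
DISABLED_OU = "OU=Disabled,DC=cuh,DC=invalid"


@dataclass
class Account:
    sam: str                    # sAMAccountName (constructed)
    enabled: bool
    ou: str                     # OU the account object currently sits in
    created: date               # whenCreated
    last_logon: Optional[date]  # None = never logged on
    hr_status: str              # "active" or "leaver", taken from the HR report


def days_inactive(acct: Account, today: date) -> int:
    """Days since last logon; an account that never logged on counts from creation."""
    return (today - (acct.last_logon or acct.created)).days


def review(accounts, today: date, threshold_days: int) -> dict:
    """Three exception lists a reviewer would act on, in input order."""
    result = {"stale_enabled": [], "disabled_wrong_ou": [], "enabled_leavers": []}
    for a in accounts:
        if a.enabled and days_inactive(a, today) >= threshold_days:
            result["stale_enabled"].append(a.sam)       # past threshold, should be disabled
        if not a.enabled and a.ou != DISABLED_OU:
            result["disabled_wrong_ou"].append(a.sam)   # disabled but not moved to the Disabled OU
        if a.enabled and a.hr_status == "leaver":
            result["enabled_leavers"].append(a.sam)     # only the HR feed reveals these
    return result


TODAY = date(2012, 3, 1)   # constructed review date (fieldwork was March 2012)
SAMPLE = [
    Account("alice", True, STAFF_OU, date(2005, 1, 10), TODAY - timedelta(days=5), "active"),
    Account("bob", True, STAFF_OU, date(2005, 1, 10), TODAY - timedelta(days=45), "active"),
    Account("carol", True, STAFF_OU, date(2005, 1, 10), TODAY - timedelta(days=120), "active"),
    Account("dave", False, STAFF_OU, date(2005, 1, 10), TODAY - timedelta(days=200), "active"),
    Account("erin", True, STAFF_OU, date(2005, 1, 10), TODAY - timedelta(days=2), "leaver"),
    Account("frank", True, STAFF_OU, date(2011, 6, 1), None, "active"),
    Account("grace", False, DISABLED_OU, date(2005, 1, 10), TODAY - timedelta(days=400), "leaver"),
]

if __name__ == "__main__":
    for label, threshold in (("policy", POLICY_THRESHOLD_DAYS), ("local", LOCAL_THRESHOLD_DAYS)):
        print(label, threshold, "days:", review(SAMPLE, TODAY, threshold))
```

Running the same accounts through both thresholds shows why the finding matters: "bob" is stale under the policy figure but invisible under the looser local one, and "erin" is caught by nothing but the HR feed.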




25. Users' Access Rights Reviews

Key Findings:
A formal process for the review of the level of access granted to users is not in place within CUH. The auditor was unable to identify information owners for each department who are responsible for reviewing access rights within their department.

This does not meet the requirements of the HSE Access Control Policy that states:

Information owners or their nominees must continually monitor access to their information systems. They must perform quarterly reviews of the systems they are responsible for, to ensure:

• That each user access account and the privileges assigned to that account are appropriate and relevant to that user's current role or function;
• The information systems and the information processed by the systems are only accessed and used by authorised users for legitimate reasons.

Possible Implications:
There is a risk of inappropriate or unauthorised access to network resources within a department where formal review of access rights is not carried out with individual department management.

Recommendations:
CUH management should develop a formal network access review process in line with the National HSE Access Control Policy.

Information owners should be identified for all departments and systems and their roles and responsibilities clearly defined.

Quarterly reviews should be carried out with information owners to ensure that access to the network (e.g. shared drives) and applications [redacted] is only granted in line with the department's business requirements.

Management Response:
This is linked to key finding 40 - Service Catalogue and to key finding 2 - Information Governance.

This will also be included in the manager's ICT Handbook.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: March 2013
26. Third Party AD Administrators

[Key findings, possible implications, recommendations and management response are not present in the source.]

Responsible Officer: Information Services Manager CUH
Implementation date: July 2013

[Finding 27: title and content are not present in the source.]

Responsible Officer: HSE IPMS Team
Implementation date: Dec 2012
28. IPMS Data Extraction Facilities

[Key findings, possible implications, recommendations and management response are redacted in the source.]

Responsible Officer: Information Services Manager CUH
Implementation date: Usage analysis / encryption: Aug 2012; Review use of alternate tools: Dec 2012
29. Network Audit Logs

[Key findings, possible implications, recommendations and management response are redacted in the source; only the fragment "the logs);" survives.]

Responsible Officer: Information Services Manager CUH / IT Technical Support Manager
Implementation date: July 2012
30. Server Security Patches

[Key findings, possible implications, recommendations and management response are not present in the source.]

Responsible Officer: IT Technical Support Manager
Implementation date: Oct 2012
31. Use of USB keys

[Key findings, possible implications, recommendations and management response are not present in the source.]

Responsible Officer: Acting Head of ICT Services / AND ICT I&O
32. Presence of Possible Duplicates

Key Findings:
Data analysis was performed on the merged PAS databases of the CUH, South Infirmary and Mercy Hospitals. The data analysis performed on over 1.241 million records indicates the presence of 239,594 possible duplicate records (19.30% of the total) that need to be analysed by the Medical Records staff to assess whether these records could be merged or not.

These duplicates were identified with a 3 Points Match:

1. Forename (exact forename or "sounds like" forename);
2. Surname (exact surname or "sounds like" surname);
3. Valid date of birth (DoB).

The auditors acknowledge that a similar process was carried out by local management; a proposal was drafted and at the time of audit this was being reviewed.

Possible Implications:
It may not be possible to correctly identify all IPMS accounts (and hence to retrieve all medical information) related to a patient. Key information may consequently not be made available to medical staff and this may lead to incorrect patient medical care.

Recommendations:
Management should consider the approval and implementation of the project proposed for the identification and clean-up of the duplicates in place within the IPMS:

• The medical record department should allocate resources to analyse the IPMS records that could potentially be duplicates (e.g. records identified as duplicates based on the 3 Points Match);
• The identified duplicates should be merged.

Management Response:
The HSE South IPMS Project Team submitted a Data Quality Improvement Plan to the Project Board and Area Manager in Dec 2011. Approval for this plan was given in May 2012 and July 2012 has been set as the start date for this. The plan has a 12 month time frame.

This plan was made available to the auditors and does not need to be detailed here.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: Aug 2013




33. Data Collection Process

Key Findings:
The data analysis performed on the 22,302 records entered in IPMS after the data migration process was completed shows the presence of records that appear to be duplicates or that do not contain all key fields filled in; the auditors used the 1st August 2011 as a cut-off day. It appears that 5,530 records (33%) entered after the date of data migration contain errors.

This indicates that the duplicate identification process and the data collection process need to be improved.

The issues identified could be summarised as follows:

A. Errors, i.e. records that do not allow the identification of a patient (32 records, 0.14%);
B. Duplicates identified with a 4 Points Match (173 records, 0.78%);
C. Duplicates identified with a 3 Points Match (544 records, 2.44%);
D. Poor quality of the information collected by staff for 4,781 records (28.51% of the new records), which were identified based on the following analysis:
   i. Forename or surname whose length is no more than one character (12 records, 0.15%);
   ii. Alive patients (i.e. there is no date of death) over 100 years old (little reliance can be placed on these records - 3 records, 0.04%);
   iii. Empty address line 1 (usually a street or road - 4 records, 0.05%);
   iv. Empty address line 2 (usually the city - 48 records, 0.6%);
   v. Empty phone number field (4,597 records, 57.97%);
   vi. Invalid phone number field (117 records, 1.74%).

Possible Implications:
It may not be possible to correctly identify all IPMS accounts (and hence to retrieve all medical information) related to a patient. Key information may consequently not be made available to medical staff and this may lead to incorrect patient medical care.

Recommendations:
The process of collecting the data from patients should be improved to ensure that:

• The new records entered in IPMS allow for a correct identification of patients;
• New duplicate records are not entered;
• All key fields necessary to identify a patient are entered in IPMS for both existing patients and new patients; they should be at least:
   o Forename;
   o Surname;
   o Date of birth;
   o Address line 1 (street/road);
   o Address line 2 (city);
   o Phone number.

Management Response:
Response to key finding 32 applies.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: Aug 2013

HSE Internal Audit Directorate
Page 53 of 63
Report: Cork University Hospital IT General Controls (ITGC)
Confidential

Key Findings | Possible Implications | Recommendations | Management Response
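The 3 Points Match of finding 32 and the key-field quality checks of finding 33, as an added example over constructed records (not the auditors' or the IPMS project's own analysis code). Soundex is assumed for the "sounds like" comparison, address line 1 is assumed as the fourth point of the 4 Points Match, and the phone validity rule is constructed, since the report specifies none of these.

```python
"""3 Points Match duplicate detection (finding 32) and the key-field quality
checks of finding 33, as an added illustration on constructed records. This is
not the auditors' or the IPMS project's analysis code. Soundex stands in for
the "sounds like" comparison, which the report does not specify; the fourth
field of the 4 Points Match is likewise unspecified and address line 1 is
assumed here."""
import re
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Callable, Optional


@dataclass
class PatientRecord:
    mrn: str                    # constructed record identifier
    forename: str
    surname: str
    dob: Optional[date]         # None = no valid date of birth captured
    address1: str               # street/road
    address2: str               # city
    phone: str
    date_of_death: Optional[date] = None


def soundex(name: str) -> str:
    """Standard Soundex (letter + 3 digits); H/W do not separate equal codes, vowels do."""
    name = re.sub(r"[^A-Za-z]", "", name).upper()
    if not name:
        return ""
    codes = {}
    for letters, digit in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                           ("L", "4"), ("MN", "5"), ("R", "6")):
        codes.update(dict.fromkeys(letters, digit))
    out, last = name[0], codes.get(name[0], "")
    for ch in name[1:]:
        code = codes.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "HW":
            last = code
    return (out + "000")[:4]


def names_match(a: str, b: str) -> bool:
    """Exact match or 'sounds like' match, as the 3 Points Match allows."""
    a, b = a.strip().upper(), b.strip().upper()
    return bool(a) and bool(b) and (a == b or soundex(a) == soundex(b))


def three_point_match(r1: PatientRecord, r2: PatientRecord) -> bool:
    """Forename, surname and a valid, identical date of birth."""
    return (r1.dob is not None and r1.dob == r2.dob
            and names_match(r1.forename, r2.forename)
            and names_match(r1.surname, r2.surname))


def four_point_match(r1: PatientRecord, r2: PatientRecord) -> bool:
    """3 Points Match plus identical, non-empty address line 1 (assumed fourth point)."""
    a1, a2 = r1.address1.strip().upper(), r2.address1.strip().upper()
    return three_point_match(r1, r2) and bool(a1) and a1 == a2


def possible_duplicates(records, rule: Callable = three_point_match):
    """Pairs of record ids flagged as possible duplicates for Medical Records review."""
    return [(a.mrn, b.mrn) for a, b in combinations(records, 2) if rule(a, b)]


# Constructed validity rule; the report does not define what made a phone number invalid.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()-]{5,}$")


def quality_issues(rec: PatientRecord, as_of: date) -> list:
    """Finding 33 checks A and D(i)-(vi), returned as issue codes in report order."""
    issues = []
    if rec.dob is None:
        issues.append("cannot_identify")     # A: no valid DoB, patient cannot be identified
    if len(rec.forename.strip()) <= 1 or len(rec.surname.strip()) <= 1:
        issues.append("name_too_short")      # i
    if rec.dob and rec.date_of_death is None and (as_of - rec.dob).days > 100 * 365.25:
        issues.append("alive_over_100")      # ii
    if not rec.address1.strip():
        issues.append("empty_address1")      # iii
    if not rec.address2.strip():
        issues.append("empty_address2")      # iv
    if not rec.phone.strip():
        issues.append("empty_phone")         # v
    elif not PHONE_RE.match(rec.phone.strip()):
        issues.append("invalid_phone")       # vi
    return issues


def summarise(records, as_of: date) -> dict:
    """Count and percentage of records per issue, in the style of the report's table."""
    counts = {}
    for rec in records:
        for issue in quality_issues(rec, as_of):
            counts[issue] = counts.get(issue, 0) + 1
    return {k: (n, round(100.0 * n / len(records), 2)) for k, n in sorted(counts.items())}


# Constructed sample; the report's cut-off date (1 August 2011) is used as the reference day.
AS_OF = date(2011, 8, 1)
SAMPLE = [
    PatientRecord("R1", "John", "Murphy", date(1970, 3, 12), "1 Main St", "Cork", "021 4546400"),
    PatientRecord("R2", "Jon", "Murphey", date(1970, 3, 12), "1 Main Street", "Cork", ""),
    PatientRecord("R3", "Mary", "Murphy", date(1970, 3, 12), "1 Main St", "Cork", "021 4546400"),
    PatientRecord("R4", "A", "Walsh", None, "", "Cork", "abc"),
    PatientRecord("R5", "Bridget", "Walsh", date(1905, 1, 1), "5 High Rd", "", "021 1234567"),
    PatientRecord("R6", "Bridget", "Welsh", date(1905, 1, 1), "5 High Rd", "Mallow", "0211234567"),
]

if __name__ == "__main__":
    print("3 Points Match:", possible_duplicates(SAMPLE))
    print("4 Points Match:", possible_duplicates(SAMPLE, four_point_match))
    print("Quality issues:", summarise(SAMPLE, AS_OF))
```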
34. ICT Helpdesk Performance

Key Findings:
The performance of the CUH ICT Helpdesk is not measured. CUH ICT management informed the auditor that 3 SLAs exist between ICT and:

• Bantry General Hospital;
• Mallow General Hospital;
• Blood Transfusion Service.

The auditor was also informed that ICT is not formally committed to respond to issues within defined times and service standards. However, they endeavour to restore service in the best possible time frames.

Service desk performance statistics/reports are neither produced nor communicated to Senior Management.

Possible Implications:
There is a risk that the ICT Helpdesk may not be able to adequately support the CUH business in line with its needs. As a result the medical staff may not be able to carry out critical hospital tasks.

Recommendations:
SLAs between the CUH ICT Helpdesk and the business should be defined and agreed for the helpdesk support of critical CUH systems and applications.

Where the current resources will not facilitate the expected service level from the business, a cost benefit analysis should be carried out.

Management Response:
In order to provide a SLA to the business community we would need to either have control over all of the components of the service or have a SLA with the units providing all of the components of the service. Neither of these case scenarios exists, and the first one will never exist. The provision of managed and measured SLAs for all components of all ICT services provided to the business community is not a task for which a timeline can be set at this time.

When SLAs are provided for HSE services external to CUH then this issue can be re-visited.

The identified risks and implications will be notified to the CUH Executive Management Board and noted as risks.

The SLAs identified are in place to satisfy external inspection of those areas and are not used as performance indicators.

No further action proposed.

Ranking: Medium
Responsible Officer: Information Services Manager CUH
Implementation date: July 2012
35. Network Segmentation

36. ICT Steering Committee Meetings

Finding: The auditors obtained copies of two ICT Steering Committee meeting minutes and noted that these documents contain only the agenda of the meeting and the agreed points. It appears that the following details are not formally documented:
• Details of the members that attended the meeting;
• Indication of who took responsibility for performing the agreed actions;
• Deadlines for implementing the agreed actions.

Risk / Implication: The points / actions identified during the ICT Steering Committee meetings may not be implemented in a timely manner due to lack of ownership and ambiguity of the deadlines agreed.

Recommendation: Management should consider documenting the ICT Steering Committee Meetings in a more comprehensive manner to include at least the following:
• Details of the members that attended the meeting;
• Points discussed and actions agreed;
• Indication of who took responsibility for performing the agreed actions;
• Deadlines for implementing the agreed actions.

Management Response: Response to key finding 15 applies.

Responsible Officer: CEO CUH
Implementation date: Oct 2012
Ranking: Low
37. Network Issues Notification Emails

Finding: Review of the network monitoring tools in place in the [redacted] (supporting the CUH network infrastructure) identified that the monitoring tools are configured to send notification emails in the event of a network performance issue or availability issue; however, these emails are only sent to an individual's mailbox rather than a group mailbox accessible by the rest of the team.

Risk / Implication: There is a risk that network issues may not be identified and reacted upon in a proactive manner, where email notifications are not distributed to all members of the network support team. This risk is reduced due to the visual displays and audible alerts that are in place within the Network support team's office environment.

Recommendation: The Network Manager should consider either implementing a Network Support Group mailbox or distributing email notifications to all members of the Network Team.

Management Response: During core working hours there is constant monitoring of network notifications. The issue with e-mail notification is only relevant to the out-of-hours scenario. There are resource constraints within this unit which are further constrained out of hours where only one member of the team is in a position to receive notifications. This is why the e-mails only go to one person. No further action proposed.

Responsible Officer: Information Services Manager CUH / Network Manager
Implementation date: July 2012
Ranking: Low
38. Network Availability & Capacity Requirements

Responsible Officer: Information Services Manager CUH
Implementation date: July 2012
Ranking: Low
39. Data Migration Issues

Finding: Although a data clean-up process took place prior to and after the data migration steps, a number of issues were identified by analysing the data extracted from the IPMS system.
The data analysis performed over 1.241 million records shows the presence of 49,517 records (3.99%) that should have been addressed as part of the data migration project. These exceptions can be summarised as:
A. Errors, i.e. records that do not allow the identification of a patient (3,297 records, 0.27%):
i. both forename and surname are not more than a character long;
ii. the date of birth is not valid and the record also has an invalid forename or surname (e.g. it is empty, or equal to "downtime", "upgrade" or "unknown");
B. Duplicates identified with a 4 Points Match (46,220 records, 3.72%), i.e. records that agree on all of:
i. Forename (exact forename or "sounds like" forename);
ii. Surname (exact surname or "sounds like" surname);
iii. Valid date of birth (DoB);
iv. Address first line (if available) or Phone number (if available).

Risk / Implication: It may not be possible to correctly identify all IPMS accounts (and hence to retrieve all medical information) related to a patient. Key information may consequently not be made available to medical staff and this may lead to incorrect patient medical care.

Recommendation: The ICT staff should perform a review of the IPMS records to:
• Inactivate the records that do not allow the identification of patients;
• Merge the records that are reasonably identified as duplicates (e.g. where a 4 Point Match is identified).

Management Response: Response to key finding 32 applies.

Responsible Officer: Information Services Manager CUH
Implementation date: Aug 2013
Ranking: Low
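The record checks described in key findings 33 and 39 (empty or invalid address and phone fields; records that cannot identify a patient; duplicates under the 4 Points Match) can be expressed as a short script. The Python below is an added illustration: it is not part of the audit report and is not the tooling used by the auditors or by CUH. It assumes ISO-format dates, implements "sounds like" with Soundex (the report does not state which phonetic comparison was used), treats a phone number as valid when it holds 7 to 15 digits, and runs over a small set of constructed sample records.

```python
# Record-quality checks of the kind described in key findings 33 and 39.
# Added illustration on constructed sample data: not CUH data and not the
# auditors' tooling. Assumptions: dates are ISO (YYYY-MM-DD); "sounds like"
# is Soundex; a phone number is "valid" when it contains 7 to 15 digits.
import re
from collections import defaultdict
from datetime import date

PLACEHOLDER_NAMES = {"", "downtime", "upgrade", "unknown"}   # finding 39, A.ii


def soundex(name: str) -> str:
    """Classic 4-character Soundex, e.g. 'Murphy' and 'Murphey' -> 'M610'."""
    codes = {}
    for letters, code in ("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"), ("l", "4"), ("mn", "5"), ("r", "6"):
        codes.update(dict.fromkeys(letters, code))
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return ""
    out, last = letters[0].upper(), codes.get(letters[0], "")
    for c in letters[1:]:
        code = codes.get(c, "")
        if code and code != last:
            out += code
        if c not in "hw":            # vowels separate repeated codes; h and w do not
            last = code
    return (out + "000")[:4]

def parse_dob(raw: str):
    """Valid DoB: parses as a date and is not in the future; otherwise None."""
    try:
        d = date.fromisoformat((raw or "").strip())
    except ValueError:
        return None
    return d if d <= date.today() else None

def normalise_phone(raw: str) -> str:
    digits = re.sub(r"\D", "", raw or "")
    return digits if 7 <= len(digits) <= 15 else ""   # "" = missing or invalid

def normalise_addr(raw: str) -> str:
    return re.sub(r"\s+", " ", (raw or "").strip().lower())

def classify_errors(rec: dict) -> list:
    """Category A of finding 39: records that cannot identify a patient."""
    reasons = []
    if len(rec["forename"].strip()) <= 1 and len(rec["surname"].strip()) <= 1:
        reasons.append("A.i short names")
    bad_name = any(rec[k].strip().lower() in PLACEHOLDER_NAMES for k in ("forename", "surname"))
    if parse_dob(rec["dob"]) is None and bad_name:
        reasons.append("A.ii invalid DoB and invalid name")
    return reasons

def find_four_point_duplicates(records: list) -> list:
    """Category B: pairs of record ids that meet the 4 Points Match."""
    groups = defaultdict(list)        # points i-iii: forename, surname, valid DoB
    for rec in records:
        dob, f, s = parse_dob(rec["dob"]), soundex(rec["forename"]), soundex(rec["surname"])
        if dob and f and s:
            groups[(f, s, dob)].append(rec)
    pairs = []
    for members in groups.values():
        for i, a in enumerate(members):
            for b in members[i + 1:]:  # point iv: address line 1 or phone, where available
                addr_a, addr_b = normalise_addr(a["addr1"]), normalise_addr(b["addr1"])
                ph_a, ph_b = normalise_phone(a["phone"]), normalise_phone(b["phone"])
                if (addr_a and addr_a == addr_b) or (ph_a and ph_a == ph_b):
                    pairs.append((a["id"], b["id"]))
    return pairs

def field_quality(records: list) -> dict:
    """The per-field gaps listed in finding 33."""
    counts = {"empty_addr1": 0, "empty_addr2": 0, "empty_phone": 0, "invalid_phone": 0}
    for r in records:
        counts["empty_addr1"] += not r["addr1"].strip()
        counts["empty_addr2"] += not r["addr2"].strip()
        if not r["phone"].strip():
            counts["empty_phone"] += 1
        elif not normalise_phone(r["phone"]):
            counts["invalid_phone"] += 1
    return counts

def summarise(records: list) -> dict:
    """Exception counts and percentage, in the form the report presents them."""
    error_ids = {r["id"] for r in records if classify_errors(r)}
    dup_ids = {rid for pair in find_four_point_duplicates(records) for rid in pair}
    return {"total": len(records), "errors": len(error_ids), "duplicates": len(dup_ids),
            "exceptions_pct": round(100 * len(error_ids | dup_ids) / len(records), 2),
            "fields": field_quality(records)}

# Constructed sample records (fictional; not taken from any hospital system).
SAMPLE_RECORDS = [
    {"id": 1, "forename": "Mary", "surname": "Murphy", "dob": "1965-04-12", "addr1": "12 Main Street", "addr2": "Cork", "phone": "021 4567890"},
    {"id": 2, "forename": "Mary", "surname": "Murphey", "dob": "1965-04-12", "addr1": "12 Main St", "addr2": "Cork", "phone": "021-456-7890"},
    {"id": 3, "forename": "Mary", "surname": "Murphy", "dob": "1965-04-12", "addr1": "", "addr2": "", "phone": "12"},
    {"id": 4, "forename": "J", "surname": "K", "dob": "1970-01-01", "addr1": "", "addr2": "", "phone": ""},
    {"id": 5, "forename": "downtime", "surname": "Walsh", "dob": "0000-00-00", "addr1": "", "addr2": "Mallow", "phone": ""},
    {"id": 6, "forename": "Sean", "surname": "O'Brien", "dob": "1982-11-30", "addr1": "4 Harbour Road", "addr2": "Bantry", "phone": ""},
    {"id": 7, "forename": "Shaun", "surname": "O Brien", "dob": "1982-11-30", "addr1": "4 harbour road", "addr2": "Bantry", "phone": ""},
]
```

summarise(SAMPLE_RECORDS) returns the counts and the percentage of exception records; records 1 and 2 match on the fourth point through the phone number, 6 and 7 through the address line, while record 3 shares name and DoB with 1 and 2 but has no usable fourth point and is therefore not reported. On real PAS data the address and phone normalisation and the "valid phone" rule would need to follow the hospital's own data standards.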
40. Applications Identification

Finding: A service catalogue is not in place for the identification of all applications used within CUH, with the details of:
• Business owners;
• System administrators;
• Sensitivity of the data held within the system.

Risk / Implication: There is a risk that all the applications and services provided to the business by ICT may not be identified.

Recommendation: Management should identify and formally document all applications / systems used within CUH in a service catalogue. The catalogue should include at a minimum the following information:
• Business Owner;
• System Administrator;
• Sensitivity of the data held within the system.

Management Response: A service catalogue and associated management and governance arrangements will be documented for review and endorsement by the revised ICT Governance Group.

Responsible Officer: Information Services Manager CUH
Implementation date: Dec 2012
Ranking: Low
41. Laptops Encryption

Finding: A total of 24 laptops were sampled by the auditors and 6 were found unencrypted (25%); however, these unencrypted laptops could not get access to the HSE Network. In fact, there is a process in place to block and log all unencrypted laptops that attempt to connect to the CUH network. Review of the log obtained identified that:

Risk / Implication: The presence of unencrypted laptops may lead to non-compliance with the National HSE Policy. In addition, even if not connected to the network, sensitive information could be stored on these laptops using other methods (e.g. by using USB keys) and if the laptop goes missing it may result in a Data Protection breach.

Recommendation: CUH should conduct a full review of all laptops in operation within CUH to ensure that they are all encrypted. This process should include a periodic review of the blocked laptop log to ensure that all laptops that attempt to connect are encrypted.

Management Response: Unencrypted laptops cannot gain access to the network. A review of unencrypted laptops will take place based on information provided by the auditors and will be corrected. Review of notifications carried out in early June identified no unencrypted laptops attempting to connect to the network.

Responsible Officer: Information Services Manager CUH
Implementation date: Aug 2012
Ranking: Low
[Key finding title not present in the source]

Finding: At the time of the audit the auditor was informed that a [...] capability of storing confidential or personal data were in operation and not encrypted. The auditor acknowledges that a new [redacted] solution is currently being evaluated.

Risk / Implication: [...] that have the capability of storing confidential or personal data are not encrypted. This could have a significant impact on the reputation of CUH if such a device was to be found by the public.

Recommendation: [...] of Data Protection [...] continue with the implementation of the new secure solution once fully tested.

Management Response: [...] removal of all unencrypted [...] service as planned and replaced with devices [...] [redacted] Solution. No further action required.

Responsible Officer: Information Services Manager CUH
Implementation date: July 2012
Ranking: Low